After 2020 and the delivery of new vaccines for COVID-19, there are reasons to be more positive about the future of business. However, all the changes that took place in 2020 have forced a rethink on how and where we work. These changes will be with us for months to come, if not permanently. The shift, triggered by COVID-19, will double the number of people working remotely on a permanent basis to 34.4% of all employees according to Enterprise Technology Research. Technology companies are leading this move – Mark Zuckerberg estimates that around 50% of all Facebook staff will be remote in the future, Twitter and Square have made their remote working approaches permanent, and Google will be remote until at least September 2021.
Remote work does put more pressure on the technology that companies have in place, and on the staff responsible for managing and securing it all. For many IT teams faced with a forced work-from-home scenario, remote working had to be implemented quickly. Stopgap approaches and old implementations which were largely designed for on-premises access control and security suddenly had to scale up far beyond what was initially in place. What is important heading into 2021 is that we look at what went well, what has to change, and what lessons we can learn.
Identity management and consolidation
Usage patterns around remote working are very different in a remote/work from home world, compared to more traditional office working. In the office, workers tend to be on one stable and secure network, and they will use one or two devices. When working from home or remotely, the potential number of devices, locations and networks used goes up for each user. Further, devices unknown to the company, and therefore not up to corporate security standards, may be used to access critical resources.
At the same time, remote management of these devices in various forms will present unique challenges. Rather than the homogenous IT environments of the past based on a standard set of operating systems, applications and services, IT teams will have to work with and support a variety of different resources. These services, operating systems and devices will come from a range of different manufacturers and providers – while the AWS cloud / Google Workspace / MacOS device trifecta is common for tech workers, there will be a plethora of combinations to support.
In practice, centralizing and managing a user’s identity across this disparate infrastructure is critical for organizations to onboard, offboard, and control access to resources. Who someone is becomes the only constant when users are working from their phones, tablets, home computers and work machines. The traditional approach to this would be to use a directory. However, this approach is getting more convoluted to make work.
Conditional access – should you be allowed in?
Rather than a binary approach to identity, e.g. you either can or cannot get into a resource with your password, admins should be able to set conditions to access management based on situations. This involves looking at policies on how and when to grant access to applications and data using a combination of factors.
The first of these is the user identity – is the right user attempting to access the resource? This is the starting point for identifying a user, so using strong authentication and multiple factors around identity should be essential. For example, a standard user name and password combination should be supplemented with multi-factor authentication such as a token or phone app. When so much depends on identity, this should default to being as secure as possible.
The second item to consider is the device that an employee might use – is the right or trusted device being used to access the resource? Having a list of devices that are known to be ‘good’ alongside a correct user identity can make it easier to ensure that someone is who they say they are. Even if someone does hijack a user identity through a combination of credential theft or poor password hygiene, using a ‘known device’ approach means that an attacker can’t get access.
The third consideration here is the network – is the user connecting to a resource through a known network? If you are on a company owned and managed network, then that acts as a form of authorisation – after all, you have to be allowed access to the physical building in order to log on. Knowing which networks and IP addresses users will be communicating through for work can therefore be a useful additional factor today when workers are not coming into the office. Verifying and ‘trusting’ home IP addresses alongside user identities and devices can therefore ensure that people are who they say they are.
Combining these together can help make it easier for employees to work in flexible ways when they are remote while also keeping security high. The policies can also be tuned to support specific roles or behaviours – for example, someone who is expected to work from a home network can have a strict policy when it comes to location that stops any access from unknown IP addresses. Meanwhile, someone that will work from multiple locations can have more restrictions on the device they use and have to use multi-factor authentication, but they will have the freedom to connect from different locations.
Getting the policy side right here is about putting the right conditions in place to allow access, rather than locking down and restricting access. This should be about making it easier for IT to manage identities and keep things secure without getting in the way of how people work every day.
Zero Trust and identity
Setting up the right conditions to allow verified access helps IT keep control and establish a Zero Trust approach to security. This involves making each component within IT treat others like they are not secure, rather than inherently trusting that the network or a device is secure automatically. Putting more emphasis on identity first helps with the “verify everything” model at the heart of Zero Trust, as it can link all activity and authorisation back to the user.
In practice, this should make the process around security easier through setting up and defining policies to help the user as well as checking that all the necessary security rules are being followed.
Under Zero Trust, all users and resources must be verified and authenticated in order to access services or applications. Alongside this, system data must be collected and analysed for potential risks over time, while network access and traffic must be limited and monitored to what is needed. While it may seem to be on the paranoid side, Zero Trust security is rooted in the realities of today’s computing infrastructure. With no reliable perimeter in place any longer, managing security involves putting in the same approach from any perimeter to core IT systems and across all devices.
The challenge with remote working is that identity is the only point of consistency for security over time. By looking at conditional access and policies, you can apply the right “never trust, always verify” approach to user accounts and achieve consistent security.